
How to enable or disable Windows Defender Credential Guard


Windows Defender Credential Guard can be enabled by using Group Policy (GPO), the Windows registry, or the Hypervisor-Protected Code Integrity (HVCI) and Windows Defender Credential Guard hardware readiness tool. Credential Guard can also protect secrets in a Hyper-V virtual machine, just as it would on a physical machine. Starting in Windows 11 Enterprise, version 22H2 and Windows 11 Education, version 22H2, compatible systems have Windows Defender Credential Guard turned on by default. Here are some related guides: How to turn on Windows 10 Tamper Protection for Microsoft Defender, how to find and remove Malware with Microsoft Defender Offline, and how to restore quarantined files in Microsoft Defender Antivirus.

Virtualization-Based Security (VBS) must be enabled in order to run Windows Defender Credential Guard. Starting with Windows 11 Enterprise 22H2 and Windows 11 Education 22H2, devices that meet the requirements to run Windows Defender Credential Guard as well as the minimum requirements to enable VBS will have both Windows Defender Credential Guard and VBS enabled by default.

By enabling Windows Defender Credential Guard, the following features and solutions are provided:

  • Hardware security: NTLM, Kerberos, and Credential Manager take advantage of platform security features, including Secure Boot and virtualization, to protect credentials.
  • Virtualization-based security: Windows NTLM and Kerberos derived credentials and other secrets run in a protected environment that is isolated from the running operating system.
  • Better protection against advanced persistent threats: When Credential Manager domain credentials, NTLM, and Kerberos derived credentials are protected using virtualization-based security, the credential theft techniques and tools used in many targeted attacks are blocked. Malware running in the operating system with administrative privileges cannot extract secrets that are protected by virtualization-based security. While Windows Defender Credential Guard is a powerful mitigation, persistent threat actors will likely shift to new techniques, so you should also incorporate other security strategies and architectures.

How does Windows Defender Credential Guard work?

Kerberos, NTLM, and Credential Manager isolate secrets by using virtualization-based security. Previous versions of Windows stored secrets in the Local Security Authority (LSA). Prior to Windows 10, the LSA stored secrets used by the operating system in its process memory. With Windows Defender Credential Guard enabled, the LSA process in the operating system communicates with a new component called the isolated LSA process, which stores and protects those secrets. Data stored by the isolated LSA process is protected using virtualization-based security and isn’t accessible to the rest of the operating system. LSA uses remote procedure calls to communicate with the isolated LSA process.

For security reasons, the isolated LSA process doesn’t host any device drivers. Instead, it only hosts a small subset of operating system binaries that are needed for security and nothing else. All of these binaries are signed with a certificate that is trusted by virtualization-based security and these signatures are validated before launching the file in the protected environment.

When Windows Defender Credential Guard is enabled, NTLMv1, MS-CHAPv2, Digest, and CredSSP can’t use the signed-in credentials. Thus, single sign-on doesn’t work with these protocols. However, applications can prompt for credentials or use credentials stored in the Windows Vault, which aren’t protected by Windows Defender Credential Guard, with any of these protocols. It is recommended that valuable credentials, such as the sign-in credentials, not be used with any of these protocols. If these protocols must be used by domain or Azure AD users, secondary credentials should be provisioned for these use cases.

When Windows Defender Credential Guard is enabled, Kerberos doesn’t allow unconstrained Kerberos delegation or DES encryption, not only for signed-in credentials but also for prompted or saved credentials. Here’s a high-level overview of how the LSA is isolated by using virtualization-based security.

[Figure: high-level overview of LSA isolation using virtualization-based security. Source: Microsoft]

Note: Windows Defender Credential Guard can also protect secrets in a Hyper-V virtual machine, just as it would on a physical machine. The same set of procedures used to enable Windows Defender Credential Guard on physical machines applies also to virtual machines.

Enable Windows Defender Credential Guard by using Group Policy

You can use Group Policy to enable Windows Defender Credential Guard. When enabled, it will add and enable the virtualization-based security features for you if needed.

To launch the Group Policy Editor, search for "group policy" from the search window, or open the Run dialog and run the following command: ‘gpedit.msc’


From the Group Policy Management Console, go to the following location.

Computer Configuration > Administrative Templates > System > Device Guard.

Select Turn On Virtualization Based Security, and then select the Enabled option.


In the Select Platform Security Level box, choose Secure Boot or Secure Boot and DMA Protection.

  • In the Credential Guard Configuration box, select Enabled with UEFI lock. If you want to be able to turn off Windows Defender Credential Guard remotely, choose Enabled without lock.
  • In the Secure Launch Configuration box, choose Not Configured, Enabled, or Disabled.
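After the policy has been applied and the machine rebooted, it is worth confirming that Credential Guard is actually running rather than only configured. The following PowerShell script is an added example, not part of the original post. It reads the Win32_DeviceGuard WMI class (a real class shipped with Windows) and the LsaCfgFlags value that the Group Policy setting writes under the Policies hive, and decodes both into a readable status. Run it in an elevated session.

```powershell
# Added example (not from the original post): decode Credential Guard / VBS state
# from the Win32_DeviceGuard WMI class after applying the Group Policy setting.
# Run in an elevated PowerShell session; the policy only takes effect after a reboot.

function Get-CredentialGuardStatus {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

    # VirtualizationBasedSecurityStatus: 0 = disabled, 1 = enabled but not running, 2 = running
    $vbsState = switch ($dg.VirtualizationBasedSecurityStatus) {
        0       { 'Disabled' }
        1       { 'Enabled, not running (reboot pending or hardware prerequisites missing)' }
        2       { 'Running' }
        default { "Unknown ($_)" }
    }

    # SecurityServicesConfigured / SecurityServicesRunning are arrays of service IDs:
    # 1 = Credential Guard, 2 = Hypervisor-enforced Code Integrity (HVCI)
    $cgConfigured = 1 -in $dg.SecurityServicesConfigured
    $cgRunning    = 1 -in $dg.SecurityServicesRunning

    # What the Group Policy object wrote. LsaCfgFlags: 1 = enabled with UEFI lock,
    # 2 = enabled without lock, 0 = disabled, absent = policy not configured.
    $policyPath  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'
    $policyFlags = (Get-ItemProperty -Path $policyPath -Name LsaCfgFlags -ErrorAction SilentlyContinue).LsaCfgFlags

    [pscustomobject]@{
        VbsState                  = $vbsState
        CredentialGuardConfigured = $cgConfigured
        CredentialGuardRunning    = $cgRunning
        PolicyLsaCfgFlags         = if ($null -eq $policyFlags) { 'not set' } else { $policyFlags }
        # Configured but not running is the usual "you still need to reboot" signal.
        RebootRequired            = $cgConfigured -and -not $cgRunning
    }
}

Get-CredentialGuardStatus | Format-List
```

A result of CredentialGuardConfigured = True with CredentialGuardRunning = False after a reboot usually means a hardware prerequisite (UEFI, Secure Boot, virtualization extensions) is not met rather than a policy problem; the VbsState line narrows that down.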

Enable Windows Defender Credential Guard by using the Windows Registry

If you don’t use Group Policy, you can enable Windows Defender Credential Guard by using the registry. Windows Defender Credential Guard uses virtualization-based security features that have to be enabled first on some operating systems.

Note: Starting with Windows 10, version 1607 and Windows Server 2016, enabling Windows features to use virtualization-based security isn’t necessary and this step can be skipped. If you're using Windows 10, version 1507 (RTM) or Windows 10, version 1511, Windows features have to be enabled to use virtualization-based security. You may want to see how to update your device; see how to get the Windows 10 Version 22H2 Update. Once updated, you will not be required to add the virtualization-based security features by using Programs and Features.

Open Registry Editor by searching for it or by running the command regedit.exe from the Run dialog box.


Navigate to the following location. On a machine where Credential Guard has never been configured, the DWORD value named LsaCfgFlags is not present, so we have to create it.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

Add a new DWORD value named LsaCfgFlags. Set the value of this registry setting to “1” to enable Windows Defender Credential Guard with UEFI lock, set it to “2” to enable Windows Defender Credential Guard without lock, or set it to “0” to disable it, and then close Registry Editor.

Disabling Windows Defender Credential Guard using Group Policy

Windows Defender Credential Guard can be disabled via several methods explained below, depending on how the feature was enabled. For devices that had Windows Defender Credential Guard automatically enabled in the 22H2 update and didn’t have it enabled prior to the update, it’s sufficient to disable it via Group Policy.

Note: If Windows Defender Credential Guard was enabled via Group Policy and without UEFI lock, disabling the same Group Policy setting will disable Windows Defender Credential Guard.

Disable the Group Policy setting that governs Windows Defender Credential Guard. Navigate to Computer Configuration > Administrative Templates > System > Device Guard > Turn on Virtualization-Based Security.

In the “Credential Guard Configuration” section, set the dropdown value to “Disabled”.


Disabling Windows Defender Credential Guard using Registry Keys

If Windows Defender Credential Guard was enabled with UEFI Lock, the procedure described in Disabling Windows Defender Credential Guard with UEFI Lock must be followed. The default enablement change in eligible 22H2 devices does not use a UEFI Lock. If Windows Defender Credential Guard was enabled without UEFI Lock and without Group Policy, it’s sufficient to edit the registry keys as described below to disable Windows Defender Credential Guard.

Note: Deleting these registry settings may not disable Windows Defender Credential Guard. They must be set to a value of "0".

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\LsaCfgFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\LsaCfgFlags
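The registry steps in the enable section above and the disable steps in this section are the same LsaCfgFlags value written with different numbers, so both are covered by one PowerShell function below. This is an added example and not code from the original post. It writes 1, 2 or 0 to the LsaCfgFlags value described above, and on disable it sets both locations listed in this section to 0 rather than deleting them, because deletion does not turn the feature off. The two DeviceGuard prerequisite values it sets when enabling (EnableVirtualizationBasedSecurity and RequirePlatformSecurityFeatures) are documented by Microsoft but are not mentioned in this post; treat them as the VBS prerequisite the enable section refers to. The function does not remove a UEFI lock, which needs the separate procedure the section mentions.

```powershell
# Added example (not from the original post): set LsaCfgFlags the way the enable and
# disable sections describe. Run in an elevated session and reboot afterwards.
# EnableVirtualizationBasedSecurity / RequirePlatformSecurityFeatures are Microsoft-documented
# VBS prerequisite values that are not listed in the post itself.

function Set-CredentialGuardRegistry {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('UefiLock', 'NoLock', 'Disabled')]
        [string]$Mode,

        # Platform security level for VBS: 1 = Secure Boot, 3 = Secure Boot and DMA protection
        [ValidateSet(1, 3)]
        [int]$PlatformSecurityLevel = 1
    )

    # Mapping from the post: 1 = enabled with UEFI lock, 2 = enabled without lock, 0 = disabled
    $flags = @{ UefiLock = 1; NoLock = 2; Disabled = 0 }[$Mode]

    $lsaPath    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $dgPath     = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    $policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'

    if ($Mode -ne 'Disabled') {
        # VBS must be on before Credential Guard can start (required on older builds, harmless on newer ones).
        New-Item -Path $dgPath -Force | Out-Null
        Set-ItemProperty -Path $dgPath -Name EnableVirtualizationBasedSecurity -Value 1 -Type DWord
        Set-ItemProperty -Path $dgPath -Name RequirePlatformSecurityFeatures -Value $PlatformSecurityLevel -Type DWord
    }

    # Set-ItemProperty creates the DWORD if it is missing, which matches the "create it" step.
    Set-ItemProperty -Path $lsaPath -Name LsaCfgFlags -Value $flags -Type DWord

    if ($Mode -eq 'Disabled' -and (Test-Path $policyPath)) {
        # Deleting the value does not disable the feature; both locations must read 0.
        # If a GPO still sets this value, the Policies entry is re-applied on the next policy refresh,
        # so the Group Policy setting itself must be changed in that case.
        Set-ItemProperty -Path $policyPath -Name LsaCfgFlags -Value 0 -Type DWord
    }

    # Read back what is now stored so the caller can confirm before rebooting.
    [pscustomobject]@{
        Mode           = $Mode
        LsaCfgFlags    = (Get-ItemProperty -Path $lsaPath -Name LsaCfgFlags).LsaCfgFlags
        PolicyCfgFlags = (Get-ItemProperty -Path $policyPath -Name LsaCfgFlags -ErrorAction SilentlyContinue).LsaCfgFlags
    }
}

# Usage: enable without lock, requiring Secure Boot plus DMA protection
# Set-CredentialGuardRegistry -Mode NoLock -PlatformSecurityLevel 3
# Usage: disable (only effective without UEFI lock and without a GPO still enforcing it)
# Set-CredentialGuardRegistry -Mode Disabled
```

After running the function, reboot and confirm with the Win32_DeviceGuard check from the Group Policy section: if SecurityServicesRunning still contains 1 after both values read 0, the feature was enabled with UEFI lock and the lock removal procedure is needed.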

I hope you found this blog post helpful. If you have any questions, please let me know in the comment section.
